DATA PROTECTION POLICY

DRIVE ALIVE UK – DATA PROTECTION POLICY

This policy is written in accordance with the Data Protection Act 2018 and the General Data Protection Regulations 2018

 

INTRODUCTION:

Drive Alive UK Ltd needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees and other people the company has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards and to comply with the law. Drive Alive UK’s data protection policy is published on its website and advises customers, suppliers, business contacts, employees and others what collected data is being used for, how long it is kept and who it will be shared with.

WHY THIS POLICY EXISTS:

This data protection policy ensures Drive Alive UK Ltd:

  • Complies with The Data Protection Act 2018 and GDPR Regulations 2018 and follows good practice

  • Protects the rights of staff, customers and partners

  • Is open about how it stores and processes individuals’ data

  • Protects itself from data breach

 

DATA PROTECTION LAW

The Data Protection Act 2018 and the GDPR Regulations of 2018 describe how organisations, including Drive Alive UK Ltd, must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The Data Protection Act 2018 and the GDPR Regulations are underpinned by eight important principles which say that personal data must:

 

  • Be processed fairly and lawfully

  • Be obtained only for specific and lawful purposes

  • Be adequate, relevant and not excessive

  • Be accurate and be kept up to date

  • Not be held any longer than necessary

  • Be processed in accordance with the rights of data subjects

  • Be protected in appropriate ways

  • Not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection

 

PEOPLE, RISKS AND RESPONSIBILITIES:

This policy applies to:

  • The head office of Drive Alive UK Ltd

  • All staff of Drive Alive UK Ltd

  • All Consultants working on behalf of Drive Alive UK Ltd

 

THE INFORMATION REQUIRED FROM INDIVIDUALS CAN INCLUDE:

  • Names of individuals

  • Postal addresses

  • Email addresses

  • Telephone Numbers

  • Any other information relating to individuals that is relevant to the requirements of the business

 

DATA PROTECTION RISKS:

This policy helps to protect Drive Alive UK Ltd from some very real data security risks including:

  • Breaches of confidentiality e.g. information given out inappropriately

  • Failing to offer choice e.g. all individuals should be free to choose how the company uses data relating to them

  • Reputational damage e.g. the company could suffer if hackers successfully gained access to sensitive data

 

RESPONSIBILITIES:

Everyone who works for or with Drive Alive UK Ltd has responsibility for ensuring that data is collected, stored and handled appropriately.

Every individual that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles. These people have key areas of responsibility:

The Board of Directors is ultimately responsible for ensuring that Drive Alive UK Ltd meets its legal obligations.

 

The Head of Compliance is responsible for:

  • Keeping the Board updated about data protection responsibilities, risks and issues

  • Reviewing all data held, data protection procedures and related policies in line with an agreed schedule

  • Arranging data protection training and advice for people covered by this policy

  • Handling data protection questions from staff and anyone else covered by this policy

  • Dealing with requests from individuals to see the data Drive Alive UK Ltd holds about them (also called “subject access requests”)

  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data

 

THE IT CONSULTANT IS RESPONSIBLE FOR:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards

  • Performing regular checks and scans to ensure security hardware and software is functioning properly

  • Detecting, reporting and investigating a personal data breach if required

  • Evaluating any third-party services the company is considering using to store or process data e.g. cloud computing services

 

THE CHIEF EXECUTIVE OFFICER IS RESPONSIBLE FOR:

  • Approving any data protection statements attached to communications such as emails and letters

  • Addressing any data protection queries from journalists, the media and the Information Commissioner’s Office

  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles

  • Supervising staff involved in data protection activities

 

 

GENERAL STAFF GUIDELINES:

The only people able to access data covered by this policy are those who need it for their work. Data must not be shared informally. When access to confidential information is required, employees can request it from their line manager. Drive Alive UK Ltd will provide training to all employees to help them understand their responsibilities when handling data. Employees must keep all data secure by taking sensible precautions and following the guidelines below. Strong passwords must be used and never be shared. Personal data must not be disclosed to unauthorised people, either within the company or externally. Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of in a safe manner. Employees and consultants should request help from the Head of Compliance or their line manager if they are unsure about any aspect of data protection. All staff members have an obligation to report data protection breaches to the Head of Compliance.

 

DATA STORAGE:

The following rules describe how and where data should be safely stored. Questions about storing data safely should be directed to the Head of Compliance or Drive Alive UK’s IT Consultant. When data is stored on paper it must be kept in a secure place where unauthorised people cannot see it. If data that is stored electronically has been printed out (when not required), the paper or files must be kept in a locked drawer or filing cabinet. Data printouts must be shredded and disposed of securely when no longer required. Data that is stored electronically is protected from unauthorised access, accidental deletion and malicious hacking attempts. Data is protected by strong passwords that are changed regularly and never shared between employees. Data that is stored on removable media (e.g. CD or DVD) is locked away securely when not being used. Data is stored on designated drives and servers and is only uploaded to an approved cloud computing service (Cloud 365). The server containing personal data is sited in a secure location away from general office space.

Data is backed up frequently and these backups are tested regularly in line with company backup procedures. Personal data is never saved directly to laptops or other mobile devices such as tablets or smart phones. The server and computers containing data are protected by approved security software and a firewall.

 

DATA USE:

It is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. When working with personal data employees must ensure that the screens of their computers are always locked when left unattended. Personal data must not be shared informally. Data must be encrypted before being transferred electronically. The IT consultant can explain how to send data to authorised external contacts. Personal data must never be transferred outside of the European Economic Area. Employees must not bring their own personal computers into the office.

 

DATA ACCURACY:

The law requires Drive Alive UK Ltd to take reasonable steps to ensure data is kept accurate and up to date.

Employees who work with data must ensure that:

  • It is retained accurately and is as up to date as possible

  • Every opportunity is taken to ensure data is updated e.g. by confirming a customer’s details when they call

  • Drive Alive UK Ltd makes it easy for data subjects to update the information that the company holds about them by using D.A.R.T.

  • Data is updated or deleted by staff as inaccuracies are discovered

 

SUBJECT ACCESS REQUESTS:

Drive Alive UK Ltd aims to ensure that individuals are aware that their data is being processed and that they understand how the data is being used and how to exercise their rights. All individuals who are the subject of personal data held by Drive Alive UK Ltd are entitled to:

  • Ask what information the company holds about them and why. Information held on an individual is readily available on D.A.R.T.

  • Ask how to gain access to it

  • Be informed how to keep it up to date

  • Be informed how the company is meeting its data protection obligations

If an individual or company contacts Drive Alive UK requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email and addressed to the Head of Compliance, who will carry out the following procedure:

  • The Head of Compliance will request the individual to complete a standard request form

  • The Head of Compliance will provide the relevant data to the individual or company within 14 days

  • The Head of Compliance will verify the identity of anyone making a subject access request before handing over information

 

DISCLOSING DATA FOR OTHER REASONS:

In certain circumstances the Data Protection Act 2018 allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances Drive Alive UK Ltd will disclose requested data after ensuring that the request is legitimate and seeking assistance from the Board of Directors and from the company’s legal advisers where necessary.
